Pharming Attack Comes to Home Routers
On January 22, 2008, Symantec announced that cyber criminals were remotely changing the DNS server settings of home network routers. As a result, whenever users keyed in the address of a banking, financial, or other trusted website, their browser would be led to a fake or phishing site.
The operation, known as pharming, normally targets DNS servers directly, but the current assault is on home routers. Malicious programmers employ infected web pages or e-mails to install code on systems that modifies the configuration of wireless routers. Consequently, the router resolves the web address incorrectly and diverts the visitor's traffic to bogus pages purporting to be real.
When the page asks for a login, victims enter the information without the slightest suspicion. In the process, the hacker steals the password, login, and all other private information.
In one similar attack, attackers embedded malicious code in an e-mail that purported to offer users an e-card at the gusanito.com site, which belongs to a major Mexican bank. The malicious e-mail also carried an HTML IMG tag, which caused an HTTP GET request to be sent to the home router.
The request changed the router's DNS configuration to map the URL of the Mexican banking site to the attacker's site. Once the DNS settings are changed, the attacker takes over any computer that browses the Internet via that router. Criminals practicing this intend to redirect visitors of financial and banking sites to bogus destinations where login credentials are captured.
The new exploit is more harmful than the original idea because it exploits routers that function even without administrative passwords. In the original pharming attack, by contrast, the hacker had to correctly determine the administrative password to gain entry to the target router.
Symantec suggests that users who have not created a new password or changed the existing one in some time do so now. This would most effectively stop pharmers from digging through users' privacy, the security company said.
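A defensive check for the delivery method described above, as an added example that is not from Symantec or the original article: it scans an HTML message body for tags that are fetched automatically on rendering and flags any whose URL points at a private, loopback or link-local host. The tag list, the local host names and the sample message are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute is fetched automatically when the message is rendered.
AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src", "embed": "src", "link": "href"}
# Assumed, non-exhaustive names that often resolve to a home router's admin page.
LOCAL_NAMES = {"localhost", "router", "gateway"}

def targets_local_network(url):
    """True if the URL's host is a private, loopback or link-local address or local name."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_NAMES or host.endswith((".local", ".lan", ".home")):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary public hostname, or no host at all
    return ip.is_private or ip.is_loopback or ip.is_link_local

class AutoFetchCollector(HTMLParser):
    """Collects (tag, url) for every attribute a renderer would request without a click."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append((tag, value.strip()))

def find_router_requests(html):
    """Return the auto-fetched URLs in an HTML body that point into the local network."""
    collector = AutoFetchCollector()
    collector.feed(html)
    return [(tag, url) for tag, url in collector.urls if targets_local_network(url)]

# Constructed sample body; the address, path and parameter are placeholders.
SAMPLE = """<html><body><p>You have received an e-card!</p>
<img src="https://cards.example.com/banner.png">
<IMG SRC="http://192.168.1.1/placeholder-path?placeholder=1" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_router_requests(SAMPLE):
        print(f"<{tag}> would send a request into the local network: {url}")
```

A mail gateway or client could use a check like this to strip or block such tags before the message is rendered; ordinary `<a href>` links are not flagged because they require a click.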
» SPAMfighter News - 01-02-2008